S
SkillsMD 发现、学习和掌握最新的 AI 技术 Skills。基于真实社区数据,为开发者提供最权威的 AI 工具导航。
关于 聚焦 AI 技术 Skills 每周数据更新 中英双语文档 © 2026 SkillsMD. All rights reserved.
Vibe Security 安全扫描器 - 多语言代码漏洞检测与AI智能修复工具 | SkillsMD
首页 / Skills / vibe-security Vibe Security 安全扫描器 - 多语言代码漏洞检测与AI智能修复工具 vibe-security by 0x8506/vibe-security
npx skills add https://github.com/0x8506/vibe-security --skill vibe-security🇨🇳 中文介绍 Vibe Security - 安全智能
适用于多种语言和框架的综合性安全扫描器和代码分析器,用于识别漏洞。
前提条件
检查是否已安装 Node.js:
node --version
如果未安装 Node.js,请根据用户的操作系统进行安装:
macOS:
brew install node
Ubuntu/Debian:
sudo apt update && sudo apt install nodejs npm
Windows:
winget install OpenJS.NodeJS
推荐的 AI 模型
最佳安全分析
我们建议将以下 AI 模型与 Vibe Security 配合使用,以实现最佳的安全漏洞检测和代码修复效果:
Claude Opus 4.5 (推荐)
用于全面安全分析的最先进模型
具备卓越的推理能力,可检测复杂漏洞
擅长识别细微的安全缺陷和攻击向量
最适合关键安全审计、企业代码库和生产部署
提供最全面的安全修复策略
Claude Sonnet 4.5
在速度和安全分析深度之间取得极佳平衡
擅长理解安全上下文并识别漏洞
提供附带详细解释的安全修复策略
非常适合日常开发和大多数安全工作流
🇺🇸 English Vibe Security - Security Intelligence
Comprehensive security scanner and code analyzer for identifying vulnerabilities across multiple languages and frameworks.
Prerequisites
Check if Node.js is installed:
node --version
If Node.js is not installed, install it based on user's OS:
macOS:
brew install node
Ubuntu/Debian:
sudo apt update && sudo apt install nodejs npm
Windows:
winget install OpenJS.NodeJS
Recommended AI Models
For Best Security Analysis
We recommend using these AI models with Vibe Security for optimal security vulnerability detection and code fixing:
Claude Opus 4.5 (Recommended)
Most advanced model for comprehensive security analysis
Superior reasoning capabilities for complex vulnerability detection
Exceptional at identifying subtle security flaws and attack vectors
广告位招租
在这里展示您的产品或服务
触达数万 AI 开发者,精准高效
联系我们
Claude Opus 4
适用于复杂安全审计和企业代码库的强大模型
具备深度推理能力,可进行高级漏洞分析
最适合关键安全审查和合规性要求
推荐用于生产部署和敏感应用程序
GPT-4o
快速高效,适用于具备安全意识的代码生成
响应速度快,是很好的替代选择
非常适合 CI/CD 集成和自动化扫描
对于大型项目具有成本效益
Claude Sonnet 4
用于快速安全扫描的更快替代方案
在速度和准确性之间取得良好平衡
适用于开发过程中的快速迭代
o1-preview
专为复杂的安全架构审查而设计
具备高级推理能力,可分析错综复杂的漏洞链
最适合安全研究和深度代码审计
GPT-4o-mini
适用于快速检查和初步扫描
最具成本效益的选择
适用于学习和教育用例
注意 :如果您未使用上述推荐模型之一,请考虑升级以获得更好的安全分析结果。较低层级的模型可能会遗漏细微漏洞或提供准确性较低的修复建议。
如何使用此技能 当用户请求安全相关工作时(扫描、分析、修复、审计、检查、审查漏洞),请遵循以下工作流程:
步骤 1:分析安全上下文
语言 :JavaScript、Python、Java、PHP 等。框架 :Express、Django、Spring、Laravel 等。漏洞类型 :SQL 注入、XSS、CSRF、身份验证等。范围 :单个文件、目录或完整项目
步骤 2:运行安全分析 # AST 语义分析(误报率降低 90%)
python3 .claude/skills/vibe-security/scripts/ast_analyzer.py "<file>"
# 数据流分析(跟踪从源头到汇聚点的污染数据)
python3 .claude/skills/vibe-security/scripts/dataflow_analyzer.py "<file>"
# CVE 和依赖项漏洞扫描
python3 .claude/skills/vibe-security/scripts/cve_integration.py .
# 供应链安全(恶意软件包、域名抢注)
python3 .claude/skills/vibe-security/scripts/cve_integration.py . --ecosystem npm
# 基础设施即代码安全
grep -r "publicly_accessible.*=.*true" . --include="*.tf"
grep -r "privileged:.*true" . --include="*.yaml"
# 使用搜索工具查找特定模式
python3 .claude/skills/vibe-security/scripts/search.py "sql-injection" --domain pattern
python3 .claude/skills/vibe-security/scripts/search.py "javascript" --domain pattern --severity critical
步骤 3:按严重性分析漏洞
SQL 注入
远程代码执行
身份验证绕过
硬编码密钥
XSS(跨站脚本攻击)
CSRF
不安全的加密
授权问题
步骤 4:获取修复建议 # 获取智能修复建议并生成测试
python3 .claude/skills/vibe-security/scripts/fix_engine.py \
--type sql-injection \
--language javascript \
--code "db.query(\`SELECT * FROM users WHERE id = \${userId}\`)"
# 输出包括:
# - 附带上下文感知修正的修复后代码
# - 修复的详细说明
# - 自动生成的安全测试
# - 额外建议
# - 置信度分数(0-100%)
步骤 5:应用安全修复 # 应用修复并自动备份
python3 .claude/skills/vibe-security/scripts/autofix_engine.py apply \
--file src/database.js \
--line 45 \
--type sql-injection \
--original "db.query(\`SELECT * FROM users WHERE id = \${userId}\`)" \
--fixed "db.query('SELECT * FROM users WHERE id = $1', [userId])"
# 测试您的更改
npm test
# 如果需要,回滚(安全实验!)
python3 .claude/skills/vibe-security/scripts/autofix_engine.py rollback
# 查看修复历史
python3 .claude/skills/vibe-security/scripts/autofix_engine.py history
首先处理严重漏洞 添加输入验证 - 白名单、类型检查、长度限制保护输出 - 转义、编码、清理修复身份验证/授权 - 强密码、MFA、RBAC更新加密方法 - 现代算法、安全随机数彻底测试 - 验证修复不会破坏功能重新扫描 - 确认所有漏洞均已解决
步骤 6:生成报告 # 带有图表和统计数据的精美 HTML 报告
python3 .claude/skills/vibe-security/scripts/reporter.py scan-results.json \
--format html \
--output security-report.html
# SARIF 格式,用于 GitHub 代码扫描集成
python3 .claude/skills/vibe-security/scripts/reporter.py scan-results.json \
--format sarif \
--output results.sarif
# CSV 格式,用于电子表格分析
python3 .claude/skills/vibe-security/scripts/reporter.py scan-results.json \
--format csv \
--output vulnerabilities.csv
# JSON 格式,用于 CI/CD 流水线
python3 .claude/skills/vibe-security/scripts/reporter.py scan-results.json \
--format json \
--output security-report.json
高级功能
1. 使用 AST 进行语义分析
Python :完整的 AST 分析,附带污染跟踪JavaScript/TypeScript :启发式 + 基于模式的分析优势 :误报率降低 90%,具备上下文感知能力
2. 数据流分析
通过数据流检测 SQL 注入、XSS、命令注入
识别受污染的变量及其传播
支持 Python 和 JavaScript/TypeScript
3. 合规性映射
OWASP Top 10 2021 CWE (常见缺陷枚举)MITRE ATT&CK 技术NIST 网络安全框架PCI-DSS 支付卡要求
4. 供应链安全
域名抢注检测
依赖项混淆攻击
恶意安装脚本
软件包中的网络操作
支持:npm、PyPI、Maven、Gradle、Cargo、Go、RubyGems、NuGet、Composer
5. 基础设施即代码
Terraform :AWS、Azure、GCP 配置错误Kubernetes :Pod 安全、RBAC 问题Docker :Dockerfile 最佳实践CloudFormation :AWS 模板安全Ansible :Playbook 漏洞
安全检查参考
可用的漏洞检查 检查类型 检测内容 示例问题 sql-injectionSQL/NoSQL 注入 查询中的字符串拼接、未清理的输入 xss跨站脚本攻击 innerHTML 使用、未转义的输出、DOM 操作 command-injection操作系统命令注入 shell=True、使用用户输入的 exec path-traversal目录遍历 未清理的文件路径、路径中的 ../.. auth-issues身份验证缺陷 弱密码、缺少 MFA、不安全的会话 authz-issues授权缺陷 缺少访问控制、IDOR、权限提升 crypto-failures加密问题 MD5/SHA1 使用、弱密钥、不安全的随机数 sensitive-data数据暴露 记录密码、暴露 PII、硬编码密钥 deserialization不安全的反序列化 pickle、eval、对用户输入进行反序列化 security-config配置错误 CORS、CSP、标头、错误消息 dependencies易受攻击的软件包 npm/pip/composer 软件包中的 CVE
特定语言的安全模式
JavaScript/TypeScript // ✅ 安全:参数化查询
const user = await db.query("SELECT * FROM users WHERE id = $1", [userId]);
// ❌ 易受攻击:SQL 注入
const user = await db.query(`SELECT * FROM users WHERE id = ${userId}`);
// ✅ 安全:转义输出
element.textContent = userInput;
const clean = DOMPurify.sanitize(htmlContent);
// ❌ 易受攻击:XSS
element.innerHTML = userInput;
// ✅ 安全:输入验证
const email = validator.isEmail(input) ? input : null;
// ❌ 易受攻击:无验证
const email = req.body.email;
Python # ✅ 安全:参数化查询
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
# ❌ 易受攻击:SQL 注入
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
# ✅ 安全:密码哈希
import bcrypt
hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt())
# ❌ 易受攻击:明文
user.password = password
# ✅ 安全:安全的子进程
subprocess.run(['ls', '-la', sanitized_dir])
# ❌ 易受攻击:命令注入
os.system(f'ls -la {user_dir}')
PHP // ✅ 安全:预处理语句
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$userId]);
// ❌ 易受攻击:SQL 注入
$result = mysqli_query($conn, "SELECT * FROM users WHERE id = $userId");
// ✅ 安全:输出转义
echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
// ❌ 易受攻击:XSS
echo $userInput;
// ✅ 安全:密码哈希
$hash = password_hash($password, PASSWORD_ARGON2ID);
// ❌ 易受攻击:MD5
$hash = md5($password);
示例工作流程 用户请求: "检查我的 Express 应用程序是否存在安全漏洞"
# 1. 在项目上运行安全扫描
python3 .claude/skills/vibe-security/scripts/scan.py "./src" --language javascript
# 2. 按严重性分析结果
# 输出可能显示:
# 严重:src/controllers/user.js:45 处存在 SQL 注入
# 高:src/views/profile.ejs:12 处存在 XSS
# 中:/api/login 缺少速率限制
# 低:Console.log 包含敏感数据
# 3. 首先修复严重问题
# - 审查 src/controllers/user.js:45
# - 将字符串拼接替换为参数化查询
# - 使用验证器库添加输入验证
# 4. 修复高严重性问题
# - 审查 src/views/profile.ejs:12
# - 使用 <%- 进行 HTML 转义,或使用 DOMPurify 处理富内容
# - 实施内容安全策略
# 5. 修复中严重性问题
# - 安装 express-rate-limit 中间件
# - 在身份验证端点上配置速率限制
# - 添加 helmet 以设置安全标头
# 6. 修复低严重性问题
# - 删除或编辑敏感的 console.log 语句
# - 使用具有日志级别的适当日志记录库
# 7. 生成安全报告
python3 .claude/skills/vibe-security/scripts/report.py "./src"
安全开发技巧
验证所有输入 - 使用白名单,而非黑名单编码所有输出 - 使用适合上下文的转义使用参数化查询 - 切勿拼接 SQL正确哈希密码 - bcrypt、Argon2、scrypt实施 MFA - 添加第二因素身份验证处处使用 HTTPS - 加密传输中的数据保持依赖项更新 - 修补已知漏洞遵循最小权限原则 - 仅授予必要的最小权限记录安全事件 - 监控攻击行为定期安全审计 - 每次发布前进行扫描
集成示例
预提交钩子 #!/bin/bash
# .git/hooks/pre-commit
python3 .claude/skills/vibe-security/scripts/scan.py "." --fail-on critical
CI/CD 流水线 - name: Security Scan
run: |
python3 .claude/skills/vibe-security/scripts/scan.py "." --format json
security_scan:
script:
- python3 .claude/skills/vibe-security/scripts/scan.py "."
资源
Best for critical security audits, enterprise codebases, and production deployments
Provides the most thorough security remediation strategies
Claude Sonnet 4.5
Excellent balance of speed and security analysis depth
Great at understanding security context and identifying vulnerabilities
Provides safe remediation strategies with detailed explanations
Ideal for daily development and most security workflows
Claude Opus 4
Powerful for complex security audits and enterprise codebases
Deep reasoning capabilities for advanced vulnerability analysis
Best for critical security reviews and compliance requirements
Recommended for production deployments and sensitive applications
GPT-4o
Fast and efficient for security-aware code generation
Good alternative with quick response times
Excellent for CI/CD integration and automated scanning
Cost-effective for large-scale projects
Claude Sonnet 4
Faster alternative for quick security scans
Good balance of speed and accuracy
Suitable for rapid iteration during development
o1-preview
Specialized for complex security architecture reviews
Advanced reasoning for intricate vulnerability chains
Best for security research and deep code audits
GPT-4o-mini
Quick checks and preliminary scans
Most cost-effective option
Good for learning and educational use cases
Note : If you're not using one of the recommended models above, consider upgrading for better security analysis results. Lower-tier models may miss subtle vulnerabilities or provide less accurate fix suggestions.
How to Use This Skill When user requests security work (scan, analyze, fix, audit, check, review vulnerabilities), follow this workflow:
Step 1: Analyze Security Context Extract key information from user request:
Language : JavaScript, Python, Java, PHP, etc.Framework : Express, Django, Spring, Laravel, etc.Vulnerability type : SQL injection, XSS, CSRF, authentication, etc.Scope : Single file, directory, or full project
Step 2: Run Security Analysis Advanced Analysis (Recommended):
# AST-based semantic analysis (90% fewer false positives)
python3 .claude/skills/vibe-security/scripts/ast_analyzer.py "<file>"
# Data flow analysis (tracks tainted data from sources to sinks)
python3 .claude/skills/vibe-security/scripts/dataflow_analyzer.py "<file>"
# CVE & dependency vulnerability scanning
python3 .claude/skills/vibe-security/scripts/cve_integration.py .
# Supply chain security (malicious packages, typosquatting)
python3 .claude/skills/vibe-security/scripts/cve_integration.py . --ecosystem npm
# Infrastructure as Code security
grep -r "publicly_accessible.*=.*true" . --include="*.tf"
grep -r "privileged:.*true" . --include="*.yaml"
# Use search utility for specific patterns
python3 .claude/skills/vibe-security/scripts/search.py "sql-injection" --domain pattern
python3 .claude/skills/vibe-security/scripts/search.py "javascript" --domain pattern --severity critical
Step 3: Analyze Vulnerabilities by Severity Critical (Fix immediately):
SQL Injection
Remote Code Execution
Authentication Bypass
Hardcoded Secrets
XSS (Cross-Site Scripting)
CSRF
Insecure Cryptography
Authorization Issues
Missing Input Validation
Information Disclosure
Weak Password Policy
Missing Security Headers
Code Quality Issues
Best Practice Violations
Performance Concerns
Step 4: Get Fix Suggestions # Get intelligent fix recommendations with test generation
python3 .claude/skills/vibe-security/scripts/fix_engine.py \
--type sql-injection \
--language javascript \
--code "db.query(\`SELECT * FROM users WHERE id = \${userId}\`)"
# Output includes:
# - Fixed code with context-aware corrections
# - Detailed explanation of the fix
# - Auto-generated security test
# - Additional recommendations
# - Confidence score (0-100%)
Step 5: Apply Security Fixes Auto-Fix with Rollback Support:
# Apply fix with automatic backup
python3 .claude/skills/vibe-security/scripts/autofix_engine.py apply \
--file src/database.js \
--line 45 \
--type sql-injection \
--original "db.query(\`SELECT * FROM users WHERE id = \${userId}\`)" \
--fixed "db.query('SELECT * FROM users WHERE id = $1', [userId])"
# Test your changes
npm test
# Rollback if needed (safe to experiment!)
python3 .claude/skills/vibe-security/scripts/autofix_engine.py rollback
# View fix history
python3 .claude/skills/vibe-security/scripts/autofix_engine.py history
Critical vulnerabilities first Add input validation - Whitelist, type checking, length limitsSecure outputs - Escape, encode, sanitizeFix authentication/authorization - Strong passwords, MFA, RBACUpdate cryptography - Modern algorithms, secure randomTest thoroughly - Verify fixes don't break functionalityRe-scan - Confirm all vulnerabilities are resolved
Step 6: Generate Reports # Beautiful HTML report with charts and statistics
python3 .claude/skills/vibe-security/scripts/reporter.py scan-results.json \
--format html \
--output security-report.html
# SARIF format for GitHub Code Scanning integration
python3 .claude/skills/vibe-security/scripts/reporter.py scan-results.json \
--format sarif \
--output results.sarif
# CSV for spreadsheet analysis
python3 .claude/skills/vibe-security/scripts/reporter.py scan-results.json \
--format csv \
--output vulnerabilities.csv
# JSON for CI/CD pipelines
python3 .claude/skills/vibe-security/scripts/reporter.py scan-results.json \
--format json \
--output security-report.json
Advanced Capabilities
1. Semantic Analysis with AST Uses Abstract Syntax Tree parsing for accurate vulnerability detection:
Python : Full AST analysis with taint trackingJavaScript/TypeScript : Heuristic + pattern-based analysisBenefits : 90% reduction in false positives, context-aware
2. Data Flow Analysis Tracks user input from sources to dangerous sinks:
Detects SQL injection, XSS, command injection through data flow
Identifies tainted variables and their propagation
Supports Python and JavaScript/TypeScript
3. Compliance Mapping Maps every vulnerability to industry standards:
OWASP Top 10 2021 CWE (Common Weakness Enumeration)MITRE ATT &CK techniquesNIST cybersecurity frameworkPCI-DSS payment card requirements
4. Supply Chain Security Protects against malicious dependencies:
Typosquatting detection
Dependency confusion attacks
Malicious install scripts
Network operations in packages
Supports: npm, PyPI, Maven, Gradle, Cargo, Go, RubyGems, NuGet, Composer
5. Infrastructure as Code Scans cloud infrastructure configurations:
Terraform : AWS, Azure, GCP misconfigurationsKubernetes : Pod security, RBAC issuesDocker : Dockerfile best practicesCloudFormation : AWS template securityAnsible : Playbook vulnerabilities
Security Check Reference
Available Vulnerability Checks Check Type Detects Example Issues sql-injectionSQL/NoSQL injection String concatenation in queries, unsanitized input xssCross-Site Scripting innerHTML usage, unescaped output, DOM manipulation command-injectionOS command injection shell=True, exec with user input path-traversalDirectory traversal Unsanitized file paths, ../.. in paths auth-issuesAuthentication flaws Weak passwords, missing MFA, insecure sessions authz-issuesAuthorization flaws Missing access controls, IDOR, privilege escalation crypto-failuresCryptographic issues MD5/SHA1 usage, weak keys, insecure random sensitive-dataData exposure Logging passwords, exposing PII, hardcoded secrets deserializationUnsafe deserialization pickle, eval, unserialize on user input security-configMisconfiguration CORS, CSP, headers, error messages dependenciesVulnerable packages CVEs in npm/pip/composer packages
Language-Specific Security Patterns
JavaScript/TypeScript // ✅ SECURE: Parameterized query
const user = await db.query("SELECT * FROM users WHERE id = $1", [userId]);
// ❌ VULNERABLE: SQL injection
const user = await db.query(`SELECT * FROM users WHERE id = ${userId}`);
// ✅ SECURE: Escape output
element.textContent = userInput;
const clean = DOMPurify.sanitize(htmlContent);
// ❌ VULNERABLE: XSS
element.innerHTML = userInput;
// ✅ SECURE: Input validation
const email = validator.isEmail(input) ? input : null;
// ❌ VULNERABLE: No validation
const email = req.body.email;
Python # ✅ SECURE: Parameterized query
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
# ❌ VULNERABLE: SQL injection
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
# ✅ SECURE: Password hashing
import bcrypt
hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt())
# ❌ VULNERABLE: Plain text
user.password = password
# ✅ SECURE: Safe subprocess
subprocess.run(['ls', '-la', sanitized_dir])
# ❌ VULNERABLE: Command injection
os.system(f'ls -la {user_dir}')
PHP // ✅ SECURE: Prepared statement
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$userId]);
// ❌ VULNERABLE: SQL injection
$result = mysqli_query($conn, "SELECT * FROM users WHERE id = $userId");
// ✅ SECURE: Output escaping
echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
// ❌ VULNERABLE: XSS
echo $userInput;
// ✅ SECURE: Password hashing
$hash = password_hash($password, PASSWORD_ARGON2ID);
// ❌ VULNERABLE: MD5
$hash = md5($password);
Example Workflow User request: "Check my Express app for security vulnerabilities"
# 1. Run security scan on the project
python3 .claude/skills/vibe-security/scripts/scan.py "./src" --language javascript
# 2. Analyze results by severity
# Output might show:
# CRITICAL: SQL Injection in src/controllers/user.js:45
# HIGH: XSS in src/views/profile.ejs:12
# MEDIUM: Missing rate limiting on /api/login
# LOW: Console.log contains sensitive data
# 3. Fix critical issues first
# - Review src/controllers/user.js:45
# - Replace string concatenation with parameterized query
# - Add input validation using validator library
# 4. Fix high severity issues
# - Review src/views/profile.ejs:12
# - Use <%- for HTML escaping or DOMPurify for rich content
# - Implement Content Security Policy
# 5. Fix medium severity issues
# - Install express-rate-limit middleware
# - Configure rate limiting on authentication endpoints
# - Add helmet for security headers
# 6. Fix low severity issues
# - Remove or redact sensitive console.log statements
# - Use proper logging library with log levels
# 7. Generate security report
python3 .claude/skills/vibe-security/scripts/report.py "./src"
Tips for Secure Development
Validate all inputs - Use allowlists, not denylistsEncode all outputs - Context-appropriate escapingUse parameterized queries - Never concatenate SQLHash passwords properly - bcrypt, Argon2, scryptImplement MFA - Add second factor authenticationUse HTTPS everywhere - Encrypt data in transitKeep dependencies updated - Patch known vulnerabilitiesFollow principle of least privilege - Minimal necessary permissionsLog security events - Monitor for attacksRegular security audits - Scan before every release
Integration Examples
Pre-commit Hook #!/bin/bash
# .git/hooks/pre-commit
python3 .claude/skills/vibe-security/scripts/scan.py "." --fail-on critical
CI/CD Pipeline - name: Security Scan
run: |
python3 .claude/skills/vibe-security/scripts/scan.py "." --format json
security_scan:
script:
- python3 .claude/skills/vibe-security/scripts/scan.py "."
Resources SEO与AEO最佳实践指南:优化内容适配传统搜索与AI答案引擎
